You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@httpd.apache.org by Helmut Schneider <ju...@gmx.de> on 2005/10/24 16:10:36 UTC
[users@httpd] Re: Apache 2.0.55/win32 + OpenSSL 0.9.8a & OWA Reverse Proxy Problems
Manuel Martin (martin@ferber-software.de) wrote:
> since 2.0.55 a reverse SSL-proxy (on Windows 2000) which I setup for MS
> Exchange 2003 Outlook Web Access makes problems. The users stumbled over
> the problem that they cannot attach files to their emails. I tried it
> myself: the attachment seems to be uploaded to the server, but is not
> "registered" by Exchange.
> If I downgrade to 2.0.54 + OpenSSL 0.9.8 (I changed Apache while back to
> make that compilation possible) it works fine again.
> I really suspect this change to be the culprit:
> "SECURITY: CAN-2005-2088 (cve.mitre.org)
> proxy: Correctly handle the Transfer-Encoding and Content-Length
> headers. Discard the request Content-Length whenever T-E: chunked
> is used, always passing one of either C-L or T-E: chunked whenever
> the request includes a request body. Resolves an entire class of
> proxy HTTP Request Splitting/Spoofing attacks. [William Rowe]"
>
> Has anyone run or _not_ run into this problem with this configuration?
Same problem here using apache 2.0.55 on FreeBSD 5.4.
--
Please do not feed my mailbox, Swen still does his job well
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
[users@httpd] Re: Apache 2.0.55/win32 + OpenSSL 0.9.8a & OWA Reverse Proxy Problems
Posted by Helmut Schneider <ju...@gmx.de>.
Helmut Schneider (jumper99@gmx.de) wrote:
> Manuel Martin (martin@ferber-software.de) wrote:
>
>> since 2.0.55 a reverse SSL-proxy (on Windows 2000) which I setup for MS
>> Exchange 2003 Outlook Web Access makes problems. The users stumbled over
>> the problem that they cannot attach files to their emails. I tried it
>> myself: the attachment seems to be uploaded to the server, but is not
>> "registered" by Exchange.
>> If I downgrade to 2.0.54 + OpenSSL 0.9.8 (I changed Apache while back to
>> make that compilation possible) it works fine again.
>> I really suspect this change to be the culprit:
>> "SECURITY: CAN-2005-2088 (cve.mitre.org)
>> proxy: Correctly handle the Transfer-Encoding and Content-Length
>> headers. Discard the request Content-Length whenever T-E: chunked
>> is used, always passing one of either C-L or T-E: chunked whenever
>> the request includes a request body. Resolves an entire class of
>> proxy HTTP Request Splitting/Spoofing attacks. [William Rowe]"
>>
>> Has anyone run or _not_ run into this problem with this configuration?
>
> Same problem here using apache 2.0.55 on FreeBSD 5.4.
http://issues.apache.org/bugzilla/attachment.cgi?id=16744 works fine.
--
Please do not feed my mailbox, Swen still does his job well
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org